Failover in a Media Access Control Security Capable Device
US-2018302269-A1 · Oct 18, 2018 · US
US10637865B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10637865-B2 |
| Application number | US-201715785252-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 16, 2017 |
| Priority date | Oct 16, 2017 |
| Publication date | Apr 28, 2020 |
| Grant date | Apr 28, 2020 |
Official abstract text for this publication.
A device may include one or more processors to establish a media access control security (MACsec) key agreement (MKA) session between a first network device and a second network device via a MACsec link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the first network device and a second packet processing engine of the second network device, to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link; determine, based on the fast heartbeat session, that the MKA session has ended; and/or perform an action based on the MKA session ending.
Opening claim text (preview).
What is claimed is:

1. A device, comprising: one or more processors to: establish a media access control security (MACsec) key agreement (MKA) session between a first network device and a second network device via a MACsec communication link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the first network device and a second packet processing engine of the second network device, to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link, where the fast heartbeat messages are exchanged at a faster rate than MKA packet data of the MKA session; determine, based on the fast heartbeat session, that the MKA session has ended; and perform an action based on the MKA session ending.

2. The device of claim 1, where the one or more processors, when establishing the fast heartbeat session, are to: transmit a request to establish the fast heartbeat session by sending a first fast heartbeat message, of the fast heartbeat messages, from the first packet processing engine to the second packet processing engine; and establish the fast heartbeat session after the first packet processing engine receives a second fast heartbeat message from the second packet processing engine.

3. The device of claim 1, where the fast heartbeat messages are exchanged via a secure channel of the MACsec communication link.

4. The device of claim 1, where the one or more processors, when determining that the MKA session has ended, are to: determine that the first network device or the second network device has been disconnected from the MKA session based on a fast heartbeat timeout interval expiring without exchanging fast heartbeat messages.

5. The device of claim 1, where each of the fast heartbeat messages includes a type field indicating that the fast heartbeat message is a message of the fast heartbeat session, where the type field is populated by the first packet processing engine or the second packet processing engine.

6. The device of claim 1, where the one or more processors, when performing the action, are to: reinitiate the MKA session based on the MKA session ending.

7. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: establish an media access control security (MACsec) key agreement (MKA) session between a first network device and a second network device via a MACsec communication link to send MKA packet data; establish a fast heartbeat session via the MACsec communication link between a first packet processing engine of the first network device and a second packet processing engine of the second network device to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link at a faster rate than MKA packet data of the MKA session; determine, based on the fast heartbeat session, that the first network device or the second network device has been disconnected from the MKA session; and perform an action based on the determining that the first network device or the second network device has been disconnected from the MKA session.

8. The non-transitory computer-readable medium of claim 7, where the one or more instructions, that cause the one or more processors to establish the fast heartbeat session, cause the one or more processors to: transmit a request to establish the fast heartbeat session by sending a first fast heartbeat message, of the fast heartbeat messages, from the first packet processing engine to the second packet processing engine; determine that the second network device is capable of establishing the fast heartbeat session after the first packet processing engine receives a second heartbeat message, of the fast heartbeat messages, from the second packet processing engine; and establish the fast heartbeat session by sending a third fast heartbeat message of the fast heartbeat messages from the first packet processing engine to the second packet processing engine.

9. The non-transitory computer-readable medium of claim 7, where the first packet processing engine and the second packet processing engine indicate that the fast heartbeat messages are messages of the fast heartbeat session by populating a field of the fast heartbeat messages with particular data identifying the fast heartbeat messages as messages of the fast heartbeat session.

10. The non-transitory computer-readable medium of claim 7, where the first packet processing engine of the first network device and the second packet processing engine of the second network device populate at least one of: an ether type field of a fast heartbeat message of the fast heartbeat messages, a type field of a fast heartbeat message of the fast heartbeat messages, or a length field of a fast heartbeat message of the fast heartbeat messages, and a first MKA daemon of the first network device and a second MKA daemon of the second network device populate at least one of: a destination address field of a fast heartbeat message of the fast heartbeat messages, a source address field of a fast heartbeat message of the fast heartbeat messages, a secure channel identifier (SCI) field of a fast heartbeat message of the fast heartbeat messages, a member identifier field of a fast heartbeat message of the fast heartbeat messages, a member number field of a fast heartbeat message of the fast heartbeat messages, or a connectivity association key (CAK) name field of a fast heartbeat message of the fast heartbeat messages.

11. The non-transitory computer-readable medium of claim 7, where the fast heartbeat messages are unencrypted and are exchanged via a secure channel of the MACsec communication link.

12. The non-transitory computer-readable medium of claim 7, where the one or more instructions, that cause the one or more processors to determine that the first network device or the second network device has been disconnected from the MKA session, cause the one or more processors to: determine that a fast heartbeat timeout interval has expired without receiving fast heartbeat messages; and determine that the first network device or the second network device has been disconnected from the MKA session based on determining that the fast heartbeat timeout interval has expired.

13. The non-transitory computer-readable medium of claim 7, where the one or more instructions, that cause the one or more processors to perform the action, cause the one or more processors to: reinitiate the MKA session.

14. A method, comprising: establishing an media access control security (MACsec) key agreement (MKA) session between a first network device and a second network device via a MACsec communication link; establishing a fast heartbeat session via the MACsec communication link between a first packet processing engine of the first network device and a second packet processing engine of the second network device to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link, where the fast heartbeat messages are exchanged at a faster rate between the first packet processing engine and the second packet processing engine than MKA packet data of the MKA session are exchanged between a first MKA daemon of
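The three-message establishment in claim 8 and the timeout detection in claim 12, modelled as an added example; this is not code from the patent or from any vendor implementation. The message labels `HB1`/`HB3`/`HB`, the class and function names, and the 10 ms and 50 ms timings are assumptions made here, while 6000 ms is the MKA Life Time default from IEEE 802.1X-2010.

```python
from enum import Enum

# Constructed timing values in milliseconds; the page states no intervals.
FAST_HB_INTERVAL_MS = 10   # assumed fast heartbeat send period
FAST_HB_TIMEOUT_MS = 50    # assumed fast heartbeat timeout interval
MKA_LIFE_TIME_MS = 6000    # MKA Life Time default in IEEE 802.1X-2010

class State(Enum):
    IDLE, REQUESTED, ESTABLISHED, PEER_LOST = range(4)

class FastHeartbeatSession:
    """Initiating packet processing engine's view of the session (hypothetical model)."""
    def __init__(self, send, on_mka_ended):
        self.send, self.on_mka_ended = send, on_mka_ended
        self.state, self.last_rx = State.IDLE, None

    def start(self, now):
        self.send("HB1")                      # first message: request the session
        self.state, self.last_rx = State.REQUESTED, now

    def receive(self, now):
        self.last_rx = now                    # any peer heartbeat refreshes liveness
        if self.state is State.REQUESTED:     # second message: peer is capable
            self.send("HB3")                  # third message completes establishment
            self.state = State.ESTABLISHED

    def tick(self, now):
        if self.state is not State.ESTABLISHED:
            return                            # assumption: only MKA liveness applies
        if now - self.last_rx > FAST_HB_TIMEOUT_MS:
            self.state = State.PEER_LOST      # timeout expired with no heartbeat
            self.on_mka_ended()               # e.g. reinitiate the MKA session
        else:
            self.send("HB")

def simulate(peer_silent_from_ms):
    """Peer answers every interval until peer_silent_from_ms; returns the outcome."""
    sent, ended = [], []
    s = FastHeartbeatSession(sent.append, lambda: ended.append(True))
    s.start(0)
    now = 0
    while not ended and now < MKA_LIFE_TIME_MS:
        now += FAST_HB_INTERVAL_MS
        if now < peer_silent_from_ms:
            s.receive(now)
        s.tick(now)
    return now, sent[:2], s.state

if __name__ == "__main__":
    print(simulate(1000))   # peer goes silent at t = 1000 ms
    print(simulate(0))      # peer never answers the request
```

With these assumed timings the loss of the peer is flagged about 50 ms after it goes silent, where the MKA lifetime alone would take 6 seconds; a peer that never replies to the request leaves the session unestablished.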
for controlling access to devices or network resources · CPC title
wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title
Active monitoring, e.g. heartbeat, ping or trace-route · CPC title
Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32) · CPC title
for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title